Health, Education & Government Government & Public Sector Government IT & Digital Services

Government Data Services

Multi-agency, multi-stakeholder programs where procurement, compliance, and mission alignment determine success.

Palantir Socrata (Tyler) Esri CGI Federal
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles, timeline, mandatory compliance constraints (FedRAMP, FISMA, Privacy Act), and success signals for each stakeholder.

      Alignment Questions

      Starting Light: The One-Sentence Mission

      • In one sentence, what is the core mission you need this program to accomplish this fiscal year?
      • Which statutory or reporting mandate makes this work non-optional for your team? Options: OPEN Government Data Act, GPRAMA / Performance Reporting, Congressional Reporting Request, State-level federal reporting, Other
      • What is the fiscal-year deadline or milestone we must hit to be considered successful? Options: End of current fiscal year, Quarterly milestone (specify), Rolling delivery within fiscal year, No firm deadline yet, Other
      • Thinking about stakeholders at a high level, who is on the shortlist of people we should involve from day one?
      • Briefly describe any prior attempts or vendors you've engaged on this problem and what did/didn't work?

      Who Really Signs the Check? (And Who’s Listening)

      • If this project succeeds, whose career or program outcomes will visibly improve — and whose profile is most at risk if it fails? Options: Chief Data Officer, Agency CIO, Program Director, Budget/Finance Officer, Legal/OGC, Congressional Liaison, Other
      • Please identify the primary decision-maker, the approver, and two top influencers by name/role (or write 'TBD'):
      • Which of the following best describes each stakeholder’s formal decision authority for procurement and acceptance? Options: Approver (final signatory), Budget approver only, Technical approver/influencer, End-user/implementation owner, Advisory/influencer, Unknown
      • How do your stakeholders prefer to be briefed about risk and progress? Options: Formal monthly brief, Weekly tactical sync, Email updates, Ad hoc executive briefings, Dashboard access only
      • Who on the team is authorized to approve required security or privacy documentation (e.g., POA&Ms, Privacy Impact Assessments)? Options: CISO/ISSO, OCIO Security Lead, Privacy Officer, Program Manager, Contracting Officer, Unknown

      What Keeps You Awake at 3AM?

      • Which single compliance failure would be most damaging to your program’s credibility — a FedRAMP gap, FISMA deficiency, a Privacy Act breach, or something else? Options: FedRAMP authorization gap, FISMA audit finding, Privacy Act violation, Interagency data-sharing legal issue, Data breach/exfiltration, Loss of funding/Congressional scrutiny, Other
      • What recent audit findings, POA&Ms, or close calls should we know about (please summarize dates, severity, and current status)?
      • Which security or compliance controls do you currently lack or consider fragile? Options: Identity & access management, Encryption in transit/at rest, Centralized logging & SIEM, Automated FISMA evidence collection, Data minimization/PII controls, Formal interagency MOUs, Other
      • How does the possibility of an audit or Congressional question affect your willingness to accelerate vs. delay implementation? Options: Accelerate to show progress, Delay until more controls are in place, Mix: quick wins then hardening, Unsure
      • Describe how compliance risk lands emotionally in your leadership team—frustration, resignation, fear, or urgency? Options: High urgency/anxiety, Frustration but manageable, Resigned acceptance, Optimistic/confident

      Are We Just Shuffling Spreadsheets? (Reality of Your Data Landscape)

      • How would you describe where the mission-critical data currently lives? Options: On-prem relational DBs (Oracle/SQL), Mainframes / legacy flat files, Excel/Shared drives, SharePoint / Document stores, Cloud SaaS (vendor-owned), Other
      • Which of these describes your access control posture across those sources? Options: Role-based access enforced, Individual accounts with limited audit, Shared credentials or ad-hoc access, No formal access controls, Mixed/varies by system
      • Do you have auditable data lineage and metadata for the datasets we'll need for reporting? Options: Complete lineage & catalog, Partial lineage with gaps, Minimal metadata only, None — needs building
      • How fresh do the data need to be for your reporting use cases? Options: Near real-time, Daily, Weekly, Monthly, Ad-hoc
      • Which internal skill gaps hinder delivery the most? Options: Data engineering, Cloud/GovCloud ops, Security/FedRAMP expertise, Data governance & stewardship, Analytics/dashboarding, Contract management
      • Tell us a short story: a recent task that took far longer than it should because of data fragmentation—what happened and why?

      What Would Success Look Like in the Hearing Room?

      • If you were in front of the agency head or Congress, what three measurable outcomes would convince them this program succeeded? Options: On-time GPRAMA submission, OPEN Data Act compliance achieved, Dashboards available for briefing, Reduction in manual hours, Closure of FISMA deficiencies, Improved data quality scores
      • For each chosen outcome above, please provide the target metric or threshold (e.g., data quality score > 95%, reports delivered by X date):
      • Which stakeholders must formally sign off on acceptance criteria for those outcomes? Options: Program Manager, CIO/OCIO, CISO/ISSO, Data Steward, Budget/Finance, Legal/Privacy
      • How will success be measured operationally after handoff to ops (SLA, uptime, refresh cadence, runbook maturity)? Options: SLA metrics, Scheduled refresh cadence, Runbooks & playbooks, Monthly ops reviews, Shared backlog for enhancements
      • What political or fiscal constraints could force scope down even if the technical work is proven?

      Unmasking the Hidden Dependencies (The Things That Break Timelines)

      • Which external approvals, partners, or third parties could silently derail your timeline if they don't sign off as planned? Options: OGC/Legal, CIO Security/ACSC, Contracting/Procurement, FedRAMP PMO / CSP, Interagency data partners, State/local partners, Third-party vendor integrations
      • Which environment and authorization baselines are required before we can operate (choose all that apply)? Options: FedRAMP Moderate, FedRAMP High, FISMA documented controls, GovCloud AWS/Azure, On-prem only, Hybrid
      • Do standing interagency data-sharing agreements (MOUs, DTAs) already exist for the required data exchanges? Options: Yes — fully executed, In progress, Not started, Not applicable
      • What contracting vehicle would you prefer or require for fast procurement? Options: GSA IT Schedule 70, Agency BPA, IDIQ / Task Order, Direct award using other contract, TBD
      • Who needs to be in the escalation path if a technical or legal blocker appears mid-sprint (names/roles)?

      Let's Make a Practical Commitment (Smallest Test That Proves Value)

      • What is the smallest, time-boxed deliverable that would demonstrate value within 60 days? Options: 60-day data maturity assessment, Pilot ingestion + dashboard for one dataset, FedRAMP readiness gap analysis, Proof-of-concept API integration, Other
      • Do you have budget authority or earmarked funds for a 60–90 day pilot? If so, which band fits your current expectation? Options: <$250k, $250k–$500k, $500k–$1M, >$1M, No budget yet / TBD
      • Who is authorized to approve a statement of work or task order for the pilot? Options: Contracting Officer, Program Manager, CIO/OCIO, Budget/Finance, Other
      • What cadence for governance and progress reviews would make you comfortable (pick one)? Options: Weekly engineering sync, Bi-weekly steering committee, Monthly executive review, Ad hoc as needed
      • If we had agreement on a pilot, what are the top three roadblocks you would want us to resolve before kickoff?
    2. Current State Mapping

      Document legacy systems, data locations, access controls, audit findings, and staffing skill gaps that block delivery.

      Current State

      Opening: Tell Us About Today's Reality

      • What is the single most important data deliverable you must produce this fiscal year (e.g., OPEN Data Act dataset, GPRAMA metrics, congressional packet)?
      • Which office owns that deliverable? Options: Chief Data Officer (CDO), CIO/IT, Program Office/PM, Compliance/Oversight, Other
      • Roughly how many distinct source systems feed the data you need for that deliverable? Options: 1–5, 6–20, 21–50, 51–200, 200+
      • How would you describe the emotional impact of your current data situation on leaders—frustration, disbelief, resigned acceptance, or cautious optimism? Options: Frustration, Disbelief, Resigned acceptance, Cautious optimism, Other
      • If you could change one practical thing about your current environment right now, what would it be?

      Is Your Legacy Stack Quietly Blocking Delivery?

      • Which legacy platforms and data stores currently contain the mission data we must integrate? Options: Oracle, Mainframe (COBOL/flat files), SQL Server, PostgreSQL, SharePoint/Network drives, Document stores (e.g., Documentum), SaaS systems (e.g., ServiceNow), Custom on-prem apps, Other
      • For the primary systems you selected, which of these best describes how accessible the data is today? Options: Accessible via APIs, Direct DB connections allowed, Manual extracts only (spreadsheets), Exported nightly files, Not accessible without manual approval, Unknown
      • Which locations host that data (choose all that apply)? Options: On-prem datacenter, GovCloud (AWS/Azure/GCP), Commercial cloud, Local workstations, Physical media (tape/drives), Third-party contractor environment, Unknown
      • Tell us about typical extraction frequency for the datasets you rely on (daily, weekly, ad-hoc, etc.) and where that cadence breaks down.
      • Have prior integration attempts hit a specific technical blocker (e.g., incompatible schemas, lack of credentials, unsupported encryption), and how long has that been unresolved?

      Who Really Touches Your Data—and With What Permissions?

      • Who currently has access to the raw source data needed for reporting (internal roles and external partners)? Options: Program staff, CDO/analytics team, Agency contractors, Other agencies, Third‑party vendors, Public/No access
      • Which identity and access methods control that access today? Options: LDAP/AD, SAML/OAuth with IdP, Local DB accounts, Manual spreadsheet lists, VPN-only access, No formal access controls
      • How long does it take on average to provision or revoke access to a dataset or system? Options: Same day, 1–3 business days, 1–2 weeks, More than 2 weeks, Unknown
      • Are there role-based access matrices or documented data owners per dataset? If yes, share gaps or inconsistencies you've noticed. Options: Yes — complete and maintained, Partial — some datasets only, No — informal/unknown, Plan to create one
      • How comfortable are stewards with granting the minimum access needed for automated reporting vs. sharing full extracts? Options: Very comfortable, Somewhat comfortable, Hesitant, Refuse full automation

      What Audit Alarms Keep You Up at Night?

      • When auditors come asking, which open findings or controls do you expect they'll focus on first? Options: FISMA controls, FedRAMP gaps, Privacy Act/PII handling, Change management, Access controls/audit logs, Data integrity/lineage
      • How many open audit findings or corrective actions relate directly to data handling or reporting? Options: None, 1–3, 4–10, 11–25, 25+
      • Which of the following compliance artifacts do you currently have automated (e.g., evidence generation, control mapping, continuous monitoring)? Options: Automated evidence collection, Control mapping to systems, Continuous monitoring dashboards, Manual evidence only, None
      • How quickly could you produce a defensible audit package for your primary dataset today? Options: Same day, 1–3 days, 1–2 weeks, Longer than a month, Cannot produce
      • Tell us about a recent compliance surprise—what happened, how did it surface, and what impact did it have?

      Where Does Your Data Quality Break Down?

      • If we traced a sample record from source to report, where do you suspect we’d lose fidelity or context first? Options: Schema mismatches, Manual transformation errors, Missing metadata, Inconsistent identifiers, Stale extracts, Other
      • Do you currently measure data quality with scores, and if so, which dimensions are tracked? Options: Completeness, Accuracy, Timeliness, Uniqueness, Consistency, No formal scoring
      • How visible is lineage for your key data flows—could we diagram source→transform→report in under an hour? Options: Yes, fully documented, Partially documented, Fragmented across teams, No documentation
      • When quality issues appear, what is your typical remediation path and average time-to-fix? Options: Automated alert→fix in hours, Manual triage→days, Escalates to weeks, Unresolved/backlog
      • Give an example of a dataset where quality issues changed a program decision—what was the consequence?

      Who’s Doing the Heavy Lifting—And What’s Missing?

      • Which teams or roles are currently responsible for building and maintaining data pipelines? Options: In-house data engineers, Shared IT/devops, Program analysts, Contractors/vendors, No dedicated team
      • Do those individuals have FedRAMP/FISMA experience and the necessary clearances to work in government clouds? Options: Yes — team has experience & clearances, Some members do, No — we rely on contractors, Unknown
      • Where are the biggest skill gaps that slow progress (cloud architecture, API development, data modeling, security engineering, compliance automation)? Options: Cloud architecture, API development, Data modeling/ETL, Security/FISMA, Data governance/metadata, Other
      • How much of your delivery relies on contractors or one-off scripts that only one person understands? Options: Mostly contractors, Mix of staff & contractors, Mostly staff, Critical single-person dependencies exist
      • What would give your team confidence they could sustain a modern pipeline after vendor transition?

      If the Deadline Were Tomorrow, What Would Break?

      • What are the non-negotiable dates (fiscal deadlines, reporting windows, hearings) that drive your timeline? Options: End of fiscal year, Quarterly GPRAMA deadlines, Congressional hearing dates, Grant reporting deadlines, Other
      • Which dependencies most threaten meeting those dates (data latency, approvals, environment provisioning, staffing)? Options: Data latency, Security approvals, Environment setup, Interagency agreements, Staff availability
      • If we had to deliver a minimal, auditable dataset for your deadline, which compromises would you accept and which are non-starters?
      • What internal approval cycle (weeks to months) must we plan around to get sign-off on scope, security, and go-live? Options: Days, 1–2 weeks, 3–6 weeks, 2+ months
      • How will funding constraints this fiscal year affect delivery (firm budget, potential reprogramming, or uncertain funding)? Options: Firm budget, Possible reprogramming, Uncertain/contingent, Grant-funded

      How Do You Want the World to See Your Data?

      • Which levels of data sharing are permitted for your mission datasets (internal only, interagency, public release) under current policy? Options: Internal only, Interagency with agreements, Public release allowed, Case-by-case/Privacy Act restrictions
      • What privacy or legal constraints (Privacy Act, FOIA, specific statutes) limit how you can transform or release the data? Options: Privacy Act, PII/PHI restrictions, Statutory non-disclosure, Paperwork Reduction Act limits, None/unknown
      • Do you have established de‑identification or aggregation rules for public datasets, and who owns those policies? Options: Yes — documented and owned, Partial rules, No rules documented, Owned by legal/compliance
      • What would make interagency sharing faster for you—pre-built MOU templates, standardized APIs, or a trusted FedRAMP-hosted exchange? Options: Pre-built MOU templates, Standardized APIs, FedRAMP-hosted exchange, Other
      • How would you feel if certain datasets could be published publicly after automated redaction—excited, anxious, skeptical, or indifferent? Options: Excited, Anxious, Skeptical, Indifferent

      If We Had 60–90 Days to Show Progress, What Would You Expect?

      • What are three measurable interim milestones that would convince leadership the engagement is on track?
      • Which environments and credentials must be provisioned before engineering can begin (e.g., GovCloud account, service accounts, data extracts)? Options: GovCloud account, Service accounts/API keys, S3/secure buckets, VPN and bastion hosts, None/unknown
      • What acceptance criteria would you require for a 60‑day proof-of-concept (data lineage visibility, automated ingestion, basic dashboard)? Options: Lineage visibility, Automated ingestion, Baseline data quality scores, Preliminary dashboard, Compliance artifacts
      • Who must be in the room for weekly checkpoints and who has authority for scope decisions? Options: CDO, CIO, Program lead, Security officer/ISSO, Contracting officer, Other
      • What risks would cause you to pause or stop a sprint and who gets to make that call?

      Let's Capture Quick Facts for Prioritization

      • Which three data domains should we prioritize (e.g., finance, program performance, case records, geospatial)? Options: Finance & budget, Program performance, Case/beneficiary records, Geospatial, Operational logs, Other
      • Rank the top implementation constraints we should prioritize for mitigation (pick up to 3). Options: Security/FISMA controls, Data access approvals, Staff skills, Environment provisioning, Interagency agreements, Budget/funding
      • Which of these quick wins would be most valuable to you in month 1? Options: Automated nightly ingest of a critical dataset, Data lineage diagrams for a key pipeline, Baseline data quality dashboard, Access provisioning playbook, Compliance evidence snapshot
      • Is there an existing architecture diagram, data inventory, or audit report you can share to accelerate discovery? Options: Architecture diagram, Data inventory, Recent audit report, None available, Will provide on request
      • Finally, who should receive our formal discovery deliverable and who will be the primary point of contact?
  2. Outcome Discovery

    Define target outcomes (OPEN Data Act compliance, GPRAMA metrics, congressional reporting), success metrics, and fiscal-year delivery constraints.

    Discovery Questions

    Start Here: The One Outcome That Changes Everything

    • What single outcome would make leadership declare this project a success? Options: OPEN Data Act compliance (publishable datasets), GPRAMA performance metrics delivered, Congressional reporting-ready dashboards, Operational decision-support (timely analytics), Other
    • Why does that outcome matter now—what would change for your agency if it were achieved?
    • How urgent is this outcome on a scale that affects budgeting or hearings? Options: Immediate (this quarter), This fiscal year (non-negotiable), Within 12–18 months, Longer-term
    • Who inside the agency is ultimately accountable for signing off that the outcome is met? Options: CDO, CIO, Program Director, Grant/Program Office Director, Other
    • If we could capture one short paragraph describing success for stakeholders, what would you want it to say?

    If We Wrote Your Congressional Talking Points, What Would They Say?

    • Imagine a year from now an oversight committee asks for proof—what would it look like if you could genuinely say 'we have the data'?
    • Which exact performance metrics would you present to show measurable progress? Options: Percent datasets published, Time-to-publish (days), GPRAMA performance scores, Data quality score, Number of manual reconciliations eliminated, Other
    • Which audiences need to be convinced by those metrics (e.g., OMB, Congressional staff, Inspector General)? Options: OMB, Congressional committees, Inspector General, Agency leadership, State partners, Public stakeholders
    • Give a specific example of a report or dashboard that, if produced, would change the conversation in your next oversight meeting.
    • Who would publicly celebrate that deliverable—and who would still be asking questions?

    Which Deadlines Are Real—and Which Are Theater?

    • Which fiscal-year or statutory deadlines absolutely cannot slip, and what makes them immovable?
    • What are the real consequences of missing each named deadline (funding clawback, hearing, program interruption)? Options: Funding risk, Congressional hearing, Operational impact, Compliance violation, Reputational damage, Other
    • Are there windows (e.g., end-of-quarter, budget submission, testimony prep) when partial data would still be useful? Options: Yes — pilot data accepted, Only fully validated data, Depends on the audience, Unsure
    • How flexible is procurement/timing—can milestones shift if we produce higher-value outputs sooner? Options: Strictly fixed, Some flexibility with approvals, Open to negotiation
    • List the top three dates this fiscal year that define success for you (e.g., FY close, testimony date, GPRAMA submission).

    Why Would An Auditor Still Say ‘We Don’t Trust These Numbers’?

    • What specific data quality or lineage issues have auditors or internal reviewers already flagged?
    • Which datasets are most likely to be challenged for accuracy or completeness?
    • What percent of your reporting data is currently produced through manual processes (spreadsheets, manual reconciliations)? Options: 0-10%, 11-25%, 26-50%, 51-75%, 76-100%
    • Are there single points of failure (people, legacy scripts, FTP feeds) that threaten data trust during a handoff? Options: Named individuals, Legacy scripts, Batch file transfers, No single point identified, Other
    • Tell us about the last audit or FISMA finding related to reporting—what was the root cause and current remediation status?

    Who Will Be On The Record When The Data Is Presented?

    • Which internal stakeholders will be expected to defend the data in public forums (names and roles if possible)?
    • For each stakeholder group, what would success look like to them personally (e.g., fewer ad-hoc requests, cleaner audits, program wins)?
    • Who has veto authority over release of published datasets or dashboards? Options: CIO, CDO, General Counsel, Program Director, Privacy Officer, Other
    • Which offices hold the keys to data access (e.g., legacy system owners, mainframe team, FOIA/Privacy office)?
    • How would you describe the current level of political risk attached to this reporting effort? Options: High, Moderate, Low, Unknown

    Dealbreakers: What Would Make a Vendor Fail Immediately?

    • What security, privacy, or compliance requirements are absolute showstoppers for any provider?
    • Which FedRAMP authorization level or specific FISMA control families must the solution meet? Options: FedRAMP Low, FedRAMP Moderate, FedRAMP High, Specific FISMA controls required
    • Are there contract or acquisition vehicles we must use (e.g., IT Schedule 70, agency BPA), and are there restrictions on subcontractors? Options: GSA IT Schedule 70, Agency BPA, Other, No restriction/unsure
    • Do you require supplier personnel to hold specific clearances or citizenship requirements? Options: US Persons only, Specific clearance levels, No clearance required, Unsure
    • What logging, audit, and retention standards will you inspect before authorizing production access? Options: Syslog/centralized logs, Immutable audit trails, 90/180/365+ day retention, Encryption at rest/in transit, Other

    What Tradeoffs Are You Willing To Make To Hit This Fiscal-Year Goal?

    • If we had to choose, would you prioritize scope, accuracy, security, or delivery date—and why? Options: Scope, Accuracy, Security, Delivery date
    • Would you accept a phased approach that delivers a minimally compliant dataset first and iterates on quality later? Options: Yes, phased works, No—must be complete, Depends on dataset/audience
    • How much technical debt or temporary workarounds are you willing to tolerate for faster delivery? Options: None, Small and documented, Moderate with sunset plan, Open to pragmatic solutions
    • What level of ongoing operational support do you expect after initial delivery (SLA preferences, runbook, staffing)? Options: Full managed ops, Handover with runbook, Shared support model, Ad-hoc support
    • Are there budget or funding runway constraints that force a tradeoff decision this fiscal year? Options: Yes—fixed budget, Potential additional funds, Funded across FYs, Unsure

    Integration Reality Check: Will Your Legacy Stack Cooperate?

    • How many source systems must be integrated to produce the target reports, and can you list them?
    • Which systems already expose APIs or structured exports versus those that are file-based or manual? Options: APIs/structured exports, Batch file exports, Manual spreadsheets, Mainframe flat files, Other
    • How accessible are subject-matter owners and system administrators for scoping and data extraction work? Options: Highly accessible, Available with scheduling, Hard to reach, Unknown
    • Can we get a representative dataset or sample within 30 days to validate lineage and quality? Options: Yes—full sample available, Partial sample possible, More than 30 days, No
    • Are there technical constraints (network ports, cleared endpoints, on-prem-only systems) that would affect integration approach?

    Metrics You Can Say Out Loud In A Hearing

    • Name three metrics you would confidently present to Congress or OMB tomorrow, and why each matters.
    • What counts as green/yellow/red for each metric (numeric thresholds or examples)?
    • How often do these metrics need to refresh to be useful (daily, weekly, monthly, quarterly)? Options: Daily, Weekly, Monthly, Quarterly, Ad-hoc
    • Who will own measurement and cadence for each metric in ongoing operations?
    • What tools or reporting formats are mandated for official submissions (CSV, APIs, dashboard screenshots, formatted PDFs)? Options: CSV, API endpoints, Interactive dashboards, Formatted PDFs, Other

    Privacy & Data Sensitivity: What's Off-Limits?

    • Which datasets are restricted by the Privacy Act, HIPAA, or other statutes that limit sharing or publication?
    • What redaction, aggregation, or anonymization rules must be applied before any dataset is published?
    • Do you require privacy impact assessments (PIAs) or System of Records Notices (SORNs) updates as part of delivery? Options: Yes—PIA required, Yes—SORN required, Both, No/Unsure
    • Who in your organization signs off on privacy decisions (Privacy Officer, Legal, Program Office)? Options: Privacy Officer, General Counsel, Program Director, CDO, Other
    • What level of de-identification would you accept to enable public release while protecting individuals? Options: Aggregation only, Pseudonymization, Full de-identification, No release allowed

    What Would 'Good Enough' Look Like This Fiscal Year?

    • If we could deliver one publication or dashboard this fiscal year that materially reduces risk or effort, which would you choose?
    • Describe the minimal acceptance criteria for that deliverable—what must be true for you to sign it off?
    • How would you like handoff and operational monitoring to happen after acceptance (SLAs, runbooks, training)? Options: Full managed service, Handover with training, Train-the-trainer, Minimal handoff
    • What is a reasonable pilot scope and duration you’d approve today to prove value quickly? Options: 30 days, 60 days, 90 days, Longer
    • What follow-on capabilities should be prioritized after that first delivery? Options: Expanded datasets, Automated compliance artifacts, More dashboards, Interagency sharing, Other
  3. Solution Experience

    Walk through how a FedRAMP-native architecture and secure integrations will convert the agency’s scenarios into measurable reporting and dashboards.

    Experience Meetings

    • Current State & Consequence Alignment
    • Target Outcome Definition & Success Metrics
    • FedRAMP-native Architecture & Security Mapping
    • Integration & Data Pipeline Proofs (Scenario Walkthroughs)
    • Validation Plan, Pilot Acceptance & Next Steps
    • Agree the pilot scope and list of functional or compliance gaps to remediate before pilot execution.
    • Customer to supply baseline values for each KPI to enable delta measurement.
    • Sponsor to confirm fiscal-year priorities and any immovable deadlines for reporting.
    • Architecture Overview Tied to Future State
    • Demonstrate how the FedRAMP-native architecture directly eliminates current-state constraints and meets the defined future-state outcome.
    • Agree on the specific FedRAMP/FISMA controls and evidence required to satisfy audit and Privacy Act constraints for each scenario.
    • Establish clear, testable validation checkpoints for security and compliance acceptance.
    • Deliver an annotated architecture diagram overlaying each scenario and listed control mappings.
    • Produce a checklist of automated artifacts and manual evidence required for each control to support acceptance.
    • Schedule security SME follow-up to resolve any control gaps identified.
    • Preconditions & Test Dataset Check
    • Prove with concrete examples that pipelines convert customer scenarios into measurable reporting and dashboards that meet success metrics.
    • Confirm the customer validates that the demonstrated outputs and controls reflect their expectations.
    • Introductions & Objectives
    • Document all validation confirmations and any deviations observed during walkthroughs with proposed remediation steps.
    • Produce per-scenario runbooks that map source->pipeline->dashboard and the exact acceptance tests to run during the pilot.
    • Customer to approve the pilot dataset(s) and provide any remaining access or approvals required.
    • Recap Decisions & Agreed Statements
    • Obtain explicit mutual agreement on pilot acceptance criteria and the validation plan.
    • Finalize pilot timeline, sprint milestones, and assigned owners to ensure execution can start within the fiscal constraints.
    • Agree on risk mitigations and required compliance handoffs to prevent delays during deployment.
    • Finalize and circulate the pilot SOW with acceptance checklist and signed approvals required for kick-off.
    • Engineering to provision the FedRAMP test environment and confirm access for the agreed pilot dataset(s).
    • Assign owners for each acceptance test and schedule the pilot kick-off meeting with all required SMEs.
    • Agree on a single-sentence current-state statement that all parties can quote.
    • Document quantified consequences (cost, schedule, audit risk) tied to the current state.
    • Validate the 2–4 real agency scenarios and stakeholder success signals to be used in the Solution Experience.
    • Capture and publish the agreed one-sentence current-state and associated consequence metrics.
    • Customer to provide missing artifacts (audit findings, sample data extracts) identified during the meeting.
    • Identify technical and security SMEs required for downstream sessions and confirm availability.
    • Restate Current State & Consequence
    • Produce a single-sentence future-state that maps directly to customer pain and desired operational improvement.
    • Agree on specific, measurable success metrics and acceptance thresholds for each scenario.
    • Set prioritized delivery checkpoints aligned to the fiscal-year and reporting deadlines.
    • Document the future-state sentence and the full list of KPIs with measurement methods.
    • One-sentence Current State
    • Scenario-by-Scenario Data Flow Mapping
    • One-sentence Future State
    • Pilot Acceptance Checklist
    • Scenario A End-to-End Walkthrough
    • FedRAMP & FISMA Controls Mapping
    • Test Plan, Timeline & Sprint Milestones
    • Scenario B End-to-End Walkthrough
    • Map Outcomes to Reporting Requirements
    • Quantify Consequence
    • Define Success Metrics & Acceptance Thresholds
    • Risk, Escalation & Compliance Handoffs
    • Privacy Act & RBAC Guardrails
    • Demonstrate Data Quality, Lineage, and Automated Compliance Artifacts
    • Compliance & Constraints Review
    • Mutual Confirm & Next Meeting
    • Validation Checkpoints for Security & Compliance
    • Confirm Customer Scenarios & Success Signals
    • Fiscal-Year Constraints & Prioritization
    • Tieback & Validation Questions
    • Confirm Validation Methods
    • Capture Gaps & Decide Pilot Scope
    • Wrap-up & Prepping Next Session
  4. Solution Scope

    Define deliverables, modules (assessment, APIs, data lake, metadata, RBAC, compliance automation), responsibilities, and acceptance criteria.

    Scope Configuration

    • Deploy FedRAMP GovCloud Data Lake
    • Ingest Mainframe and Batch Files into Data Lake
    • Build Secure API Connectors to Legacy Systems
    • Implement Automated ETL Pipelines with Quality Scoring
    • Deploy Metadata Catalog and Data Lineage
    • Configure Role-Based Access Controls and Entitlements
    • Pseudonymize and De-identify Privacy-Sensitive Records
    • Implement FISMA Audit Logging and Evidence Collection
    • Develop Interactive Performance and GPRAMA Dashboards
    • Automate GPRAMA and Congressional Reporting Exports
    • Integrate Geospatial Analysis and Map Visualizations
    • Deploy Predictive Models and Operational Forecasting

    Scope Questions

    Deploy FedRAMP GovCloud Data Lake

    • Do you already have a GovCloud (FedRAMP-authorized) account/environment available for use? Options: Yes, No, Partially (sandbox only)
    • What FedRAMP authorization level is required for this deployment? Options: FedRAMP Low, FedRAMP Moderate, FedRAMP High, Unsure
    • Estimated initial raw data volume to host in the data lake (uncompressed)? Options: < 1 TB, 1–10 TB, 10–100 TB, > 100 TB, Unsure
    • Required data retention and archival policy (years and any legal requirements)?
    • Which GovCloud region(s) must data be stored in? Options: US-East (GovCloud), US-West (GovCloud), Multiple GovCloud regions, Any Fed region acceptable, Unsure
    • Encryption at rest and in transit requirements (customer-managed keys, HSM, KMS)? Options: Provider-managed KMS, Customer-managed KMS, HSM-backed keys required, No preference / Unsure
    • What availability/uptime SLA is required for the data lake? Options: 99.9%, 99.95%, 99.99%, Other / Unsure
    • Who is the agency owner(s) for cloud provisioning and billing (name/role)?

    Ingest Mainframe and Batch Files into Data Lake

    • Which legacy platforms produce the batch files (e.g., IBM z/OS, AS/400, Windows servers)? Options: IBM z/OS (mainframe), IBM i (AS/400), Windows/Linux batch servers, Other, Unsure
    • What file formats and record encodings are used (e.g., EBCDIC COBOL copybook, CSV, fixed-width)? Options: EBCDIC / COBOL copybook, Fixed-width, CSV/TSV, XML/JSON, Other, Unsure
    • Average and peak batch sizes and frequency (daily, hourly, weekly)? Options: Hourly, Daily, Weekly, Monthly, Ad-hoc
    • What transport/ingest mechanisms are permitted (e.g., SFTP, IBM MQ, API push, physical media)? Options: SFTP, IBM MQ / MQTT, API / HTTPS push, Physical media (tape), Other
    • Is near-real-time change-data-capture (CDC) required or are batch windows sufficient? Options: Batch only, Near-real-time CDC required, Both/Hybrid, Unsure
    • Are transformation/mapping rules available for mainframe data (copybooks, schemas) or need to be reverse engineered? Options: Schemas/copybooks provided, Partial documentation, None — reverse engineering required, Unsure
    • Do batch feeds contain PII/PHI or data subject to the Privacy Act? Options: Yes (PII/PHI present), No, Unknown / Need to assess
    • What nightly/ingest time windows are permissible for heavy batch jobs? Options: Standard business hours allowed, Restricted to after-hours, Agency-defined maintenance windows, Unsure

    Build Secure API Connectors to Legacy Systems

    • Which legacy systems require API connectors (list system names and owners)?
    • Do the legacy systems expose any APIs today (SOAP/REST) or will adapter development be required? Options: APIs available (REST/SOAP), Limited APIs, adapter work required, No APIs — adapter required, Unsure
    • What authentication and authorization methods must connectors support? Options: OAuth2, SAML, Mutual TLS, Basic Auth, Kerberos, API Key, Other
    • Expected throughput and concurrency requirements (requests/sec, payload sizes)?
    • Are there rate limits, maintenance windows, or change controls on the legacy systems? Options: Yes — strict limits, Yes — moderate limits, No, Unsure
    • Will connectors run inbound (legacy calls us) or outbound (we poll/push) or both? Options: Outbound (we poll/pull), Inbound (legacy pushes), Both
    • Do connectors require on-premise proxies or jump-boxes within agency networks? Options: Yes — on-prem proxy required, No — direct GovCloud access allowed, Hybrid / Unsure
    • What error handling, retry, and SLA expectations should connector implementations meet?

    Implement Automated ETL Pipelines with Quality Scoring

    • What cadence is required for ETL pipelines (real-time stream, micro-batch, nightly)? Options: Real-time/stream, Near-real-time (minutely), Hourly, Daily/nightly, Other
    • Which ETL/ELT tooling is preferred or mandated (e.g., Apache Spark, AWS Glue, dbt, Informatica)? Options: AWS Glue, Apache Spark, dbt, Informatica, Custom Python, Other, No preference
    • Which data quality dimensions must be measured (completeness, accuracy, timeliness, uniqueness, validity)? Options: Completeness, Accuracy, Timeliness, Uniqueness, Validity, Other
    • What quality thresholds trigger alerts or blocking (e.g., >5% nulls blocks load)?
    • Are test/QA datasets available to validate ETL before production runs? Options: Yes — full QA datasets, Partial test data, No — need synthetic or masked data
    • Do pipelines need schema evolution handling and automated backfills? Options: Yes — both schema evolution and backfills, Schema evolution only, Backfills only, No
    • Who owns data quality remediation (agency team, vendor, shared)? Options: Agency, Vendor, Shared/Joint
    • Should quality scores be surfaced in dashboards and metadata catalog automatically? Options: Yes, No, Unsure

    Deploy Metadata Catalog and Data Lineage

    • Do you require an automated metadata catalog that ingests dataset schemas, owners, and tags? Options: Yes — fully automated, Partial automation + manual curation, No — manual catalog only, Unsure
    • Which metadata fields matter most (business owner, sensitivity classification, source system, retention)? Options: Business owner, Data sensitivity/classification, Source system, Retention policy, PII flags, Other
    • Is automatic lineage capture required end-to-end (source → transformations → dashboards)? Options: Yes — full lineage, Partial lineage (pipeline-level), No
    • Do you have an existing taxonomy or tags we must map to, or should we propose one? Options: Existing taxonomy available, We need vendor to propose taxonomy, Unsure
    • Which user roles need search and discovery capabilities in the catalog (data stewards, analysts, executives)? Options: Data stewards, Analysts/data scientists, Program managers, Executive leadership, Other
    • Should lineage and metadata be exportable to compliance/reporting systems? Options: Yes — exportable, No, Unsure
    • Are there required integrations (ETL tool, BI tool, IAM) for the catalog?

    Configure Role-Based Access Controls and Entitlements

    • How many distinct user roles/profiles should be supported initially? Options: 1-5, 6-15, 16-50, 50+
    • Will role definitions be mapped to an existing IdP (e.g., ADFS, Okta, Azure AD) or defined locally? Options: Mapped to IdP, Local role store, Hybrid
    • Do you require attribute-based access control (ABAC) in addition to RBAC? Options: Yes — ABAC required, No — RBAC only, Unsure
    • Are temporary/external user accounts needed (contractors, interagency partners)? Options: Yes — contractors, Yes — interagency partners, No
    • What approval/workflow process is needed for granting or reviewing entitlements? Options: Automated approval workflow, Manual approval by manager, Quarterly entitlement review, Other
    • Do access controls need to be enforced at dataset, table, row, or column level? Options: Dataset-level, Table-level, Row-level, Column-level (field-level)
    • Should access requests and changes be logged for FISMA evidence collection? Options: Yes, No, Unsure

    Pseudonymize and De-identify Privacy-Sensitive Records

    • Which types of sensitive data are present and require de-identification (PII, PHI, financial)? Options: PII, PHI, Financial, Other, Unsure
    • What de-identification techniques are acceptable (masking, tokenization, hashing, generalization, differential privacy)? Options: Masking, Tokenization (reversible), Hashing (irreversible), Generalization/aggregation, Differential privacy, Other
    • Are reversible pseudonymization keys allowed to be stored by the vendor, or must keys be agency-managed? Options: Vendor-managed keys, Agency-managed keys, Hybrid / Unsure
    • Do business processes require re-identification for specific use cases (e.g., case management)? Options: Yes — re-ID needed for some use cases, No — no re-ID allowed, Unsure
    • Are de-identification transformations required upstream (before landing) or downstream (in curated layers)? Options: Upstream (ingest time), Downstream (post-ingest), Both, Unsure
    • Do you require statistical disclosure control and risk assessment (k-anonymity, l-diversity) before release? Options: Yes — statistical checks required, No, Unsure
    • What performance constraints exist for de-identification at scale (batch latency, realtime throughput)?

    Implement FISMA Audit Logging and Evidence Collection

    • Which logging sources must be captured (cloud platform logs, application logs, database access, IAM events)? Options: Cloud platform logs, Application logs, Database/audit logs, IAM/access events, Network logs, Other
    • What log retention period is required for audit evidence? Options: 90 days, 1 year, 3 years, 7 years, Agency-defined
    • Do logs need to be forwarded to an existing SIEM or Security Operations Center? Options: Yes — forward to existing SIEM, No — vendor SIEM acceptable, Unsure
    • Which NIST/SP controls (e.g., NIST 800-53 families) must be demonstrably supported by audit evidence?
    • Do you require automated evidence packages for auditors (control mappings, screenshots, config dumps)? Options: Yes — automated packages, No — ad-hoc evidence only, Partial automation
    • Should logging be tamper-evident and stored in write-once locations for chain-of-custody? Options: Yes, No, Unsure
    • Who is the primary point of contact for incident escalation and audit requests (name/role)?
  5. Mutual Commit

    Finalize contract vehicle, pricing, timelines, security responsibilities, and interagency data-sharing obligations.

    Agreement Modules

    • Statement of Work (SOW)
    • Contract Vehicle & Ordering Agreement
    • Master Services Agreement (MSA) / Master Contract Terms
    • Pricing & Billing Schedule
    • Security & ATO Responsibilities Addendum
    • Data Sharing Agreement / Interagency MOU
    • Privacy & PII Handling Agreement (PIA / Privacy Act Clauses)
    • Roles, Staffing & Clearances Matrix
    • Acceptance Testing & Validation Sign-off
    • Service Level Agreement (SLA) & Support
    • Change Order & Scope Modification Process
    • Termination, Transition & Data Handover Plan
    • Compliance Evidence & Audit Rights
    • Invoicing, Funding Certainty & Dispute Resolution
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm environments, clearances, data access, FISMA controls, and interfaces are provisioned and authorized for execution.

      Readiness Questions

      Before We Flip the Switch

      • What is the primary driver for moving this project into deployment now? Options: Congressional reporting deadline, Fiscal-year deliverable, Audit remediation (FISMA), Interagency data-sharing need, Operational necessity, Other
      • Tell us about the last time your team shipped a system into production — what went well and what surprised you?
      • Which deployment window is your agency prioritizing? Options: Before the end of this quarter, Before fiscal-year end, After current procurement task order, Timing is flexible, Other
      • Are there immovable compliance or reporting dates that will force a go/no‑go decision? Options: Yes: Congressional/GPRAMA deadline, Yes: FISMA audit date, Yes: Interagency data agreement deadline, No fixed date, Unsure
      • If this deployment succeeds, what will leadership point to first as evidence of success?

      What Would Break Us If We Waited?

      • If deployment is delayed, what single risk keeps you awake at night?
      • What downstream impacts would a delayed deployment cause (e.g., missed reporting, lost funding, audit failure)? Options: Missed congressional reporting, Budgetary risk, Extended audit findings, Operational inefficiency, Contractual penalties, Other
      • Which interagency or external dependency is most likely to cause schedule slippage? Options: External data provider, Partner agency interface, Vendor schedule, Security authorization (ATO), Cloud provisioning, Other
      • How long can the program sustain a delay before mission impact becomes irreversible? Options: < 2 weeks, 2–6 weeks, 6–12 weeks, Several months, Unsure
      • Have past delays revealed a root cause we should address now? If so, what was it?

      Who Needs to Be in the Room (and Who's Missing)?

      • If one person could unilaterally stop the deployment, who would that be and why?
      • Which stakeholders must approve provisioning, data access, and security artifacts for go/no‑go? Options: CDO, CIO/Authorizing Official, Information System Security Officer (ISSO), Privacy Officer, Program Manager, Other
      • What clearance levels and background checks will engineers and reviewers need? Options: Public Trust, Secret, Top Secret, TS/SCI, No special clearance, Unsure
      • Are the named approvers regularly available during the proposed sprint schedule? Options: Yes — dedicated availability, Partially available — limited windows, Sporadic availability, Unavailable until later date
      • Who is the alternate decision owner if a primary approver is absent? Provide name and role.

      Do We Actually Have the Data Access We Need?

      • If our team arrived tomorrow with integrations ready but no dataset access, what would we be unable to do?
      • Please list the discrete data sources we will need to onboard during deployment (system name and owner).
      • How is access to each source provisioned today? Options: Direct DB connection, APIs (internal), APIs (external partner), File transfer/flat files, Manual exports/spreadsheets, Other
      • What sensitivity classifications apply to those sources (e.g., PII, SBU, Classified)? Options: Public, SBU/Confidential, PII, Privacy Act, High Risk/Critical, Classified
      • Who is the data steward for each source and how quickly can they issue access approvals? Options: Within 48 hours, 1–2 weeks, Several weeks, Longer / unknown

      Are the Environments Real or Paper Promises?

      • Which environment is most likely to fail a realistic load or security test and why?
      • Which of the following environments are provisioned and ready for use? Options: Development (Sandbox), Integration/Test, Staging/Pre-Prod, Production, Disaster Recovery, Not provisioned
      • For each environment you marked, what is the provisioning status? Options: Provisioned & smoke-tested, Provisioned, not tested, Requested, awaiting approval, Not requested
      • Are GovCloud regions, network peering, VPN/Direct Connect, and VPC routing configured and validated? Options: All configured & validated, Partially configured, Requested but not configured, Not applicable / Unsure
      • Who owns environment hardening and patching (agency, vendor, or shared) and what cadence is expected? Options: Agency-owned — agency cadence, Vendor-owned — vendor cadence, Shared — defined schedule, Undetermined
      • If any environment is not ready, what is the single blocking action preventing provisioning?

      Can We Prove Compliance Without a Paper Stack?

      • If auditors requested artifacts tomorrow, which controls could we prove automatically and which would require manual effort? Options: Automated evidence available, Mostly manual evidence, No evidence available, Partially automated
      • Which families of FISMA controls are in scope for this deployment (select all that apply)? Options: Access Control (AC), Audit & Accountability (AU), Configuration Management (CM), Identification & Authentication (IA), Incident Response (IR), System & Communications Protection (SC), Risk Assessment (RA)
      • Do you have baseline system security documentation (SSP), plan of actions (POA&M), and continuous monitoring plan that map to the environments? Options: Yes — current and mapped, Yes — partial, No — need to create, Unsure
      • Which compliance artifacts can we generate during deployment (e.g., automated logs, evidence of RBAC enforcement, change history)? Options: Audit logs, Role-based access evidence, Configuration snapshots, Data access records, Encryption & key management proofs, Other
      • Who is responsible for final ATO/ATO‑like signoff and what is their expected timeline?

      How Will Integrations Behave on Day One?

      • Which external interface is most likely to fail under real conditions, and what makes it fragile?
      • List the external systems, partner APIs, or legacy endpoints we must integrate with during the deployment.
      • What authentication and authorization mechanisms do these interfaces require? Options: OAuth2 / JWT, Mutual TLS, API keys, SAML, Host-based ACLs, Database credentials, Other
      • Are there sandboxes or test accounts available for each partner integration? Options: Yes — full sandbox, Limited test access, No — only production, Unsure
      • What SLAs, throughput, or latency expectations should integrations meet in production? Options: <100ms, <500ms, <1s, <5s, Batch/Non-real time
      • Who is the named contact at each partner system for escalation and access issues?

      If Things Go Wrong, Do We Know What to Do?

      • When the service degrades on day one, what exact threshold should trigger an operational page? Options: Data pipeline failure, Data quality below threshold, Authorization or outage in an upstream system, Critical job crash, Other
      • Do you have an incident response playbook that covers deployment-specific failure modes (integration loss, data corruption, permission errors)? Options: Comprehensive playbook exists, Playbook exists but incomplete, No playbook, Unsure
      • What rollback or mitigation strategies are acceptable to the program (e.g., pause ingestion, route to backup, roll forward with patch)? Options: Rollback to previous snapshot, Pause and queue, Use fallback feed, Hotfix and roll forward, Other
      • Where do we get forensic logs and tracing when something fails — and who has access to them? Options: Centralized logging (SIEM), Host-level logs only, Partner systems provide logs, Logs are limited / restricted
      • How should we communicate incidents to stakeholders, and who must be notified immediately?

      What Will 'Ready' Actually Look Like to Your Leadership?

      • Would leadership accept a phased readiness approach (minimal viable pipelines first) or insist on full feature parity at initial deploy? Options: Phased / MVP first, Full feature parity required, Hybrid — critical features first, Undecided
      • List the top 3 acceptance criteria that must be met before you consider the deployment successful.
      • What quantitative data quality thresholds must be met (e.g., completeness, accuracy, freshness)? Options: >99% completeness, >95% accuracy, Daily freshness, Weekly freshness, Other
      • What does a successful transition to operations look like (roles, SLAs, shared backlog, training)? Options: Agency-run operations, Vendor-run operations, Joint ops model, Short-term vendor support then handoff
      • Which metrics should we track for the first 90 days post-deploy to demonstrate mission value? Options: Timeliness of reports, Number of successful ingestions, Data quality scores, User adoption metrics, Incident count and MTTR, Other
      • Who will own the ongoing backlog of enhancements and who is their backup?
    2. Deployment Enablement

      Schedule sprints, assign engineering and agency owners, and execute integrations with clear milestones and escalation paths.

    3. Validation Checklist

      Verify data lineage, quality scores, role-based access, and automated compliance artifacts meet acceptance criteria.

      Validation Questions

      Start Here — Tell Us About Your Mission

      • Who are you (name, title) and which program or mission does this data effort support?
      • Which role best describes your primary relationship to this project? Options: Chief Data Officer, CIO/IT Leadership, Program/Operations Director, Security/InfoSec Officer, Procurement/Contracting Officer, Analytics Lead/Scientist, Other
      • What is the governing legal or reporting mandate driving urgency for this work? Options: OPEN Government Data Act, GPRAMA/Performance Reporting, Congressional Reporting Request, FISMA Compliance, Privacy Act / FOIA constraints, Other
      • When must the first meaningful deliverable be in place (fiscal quarter or date)? Options: Within 30 days, 30–60 days, 60–120 days, By end of current fiscal year, No hard deadline
      • Which procurement vehicle do you expect to use for this engagement? Options: GSA IT Schedule/BPA, Agency-specific BPA/IDIQ, Government-Wide Acquisition Contract (GWAC), Direct award/sole source, Unsure / Need guidance

      If We Did Nothing, What Would Break First?

      • What critical report, audit finding, or congressional ask would fail if no improvements were made this fiscal year?
      • How frequently do you face external reviews or audits that depend on this data? Options: Monthly, Quarterly, Annually, Ad-hoc / as requested
      • What specific audit findings or compliance gaps are on your remediation list right now?
      • If those failures occurred, what would be the likely consequence for the program (operational delay, funding risk, political scrutiny, other)? Options: Operational disruption, Loss of funding, Reputational/political risk, No immediate consequence, Other
      • Who in leadership feels the heat most when reporting or compliance slips? Options: CDO, CIO, Program Director, Chief Counsel/Legal, Deputy Secretary/Executive, Other

      Where Your Data Actually Lives (and Who Guards the Keys)

      • How many distinct source systems, databases, or file repositories are typically involved in producing a single performance metric? Options: 1–3, 4–7, 8–15, More than 15, Unknown
      • What types of systems hold that data? (select all that apply) Options: Mainframe / legacy flat files, Oracle / RDBMS, Federal SaaS applications, Spreadsheets / manual records, Document repositories / unstructured stores, Geospatial systems, Other
      • Are formal Data Owner or System Owner assignments documented for those sources today? Options: Yes, fully documented, Partially documented, Informally known, No / unknown
      • What level of data sensitivity and classification affects these sources? Options: Unclassified/public, Sensitive but unclassified (SBU), Controlled Unclassified Information (CUI), Privacy Act / Personally Identifiable Information (PII), Classified
      • Describe the current process for getting access to a critical source (who approves, how long, blockers).

      What's Slowing Your Team Down—Beyond Tech

      • What single human or process issue frustrates you most when attempting to produce reliable analytics?
      • Which staffing gaps matter most right now? Options: Data engineers, Cloud architects, Security/compliance analysts, Data stewards / catalog managers, BI/dashboard developers, Other
      • How long does it typically take your team to onboard a new data source into a reportable pipeline? Options: <2 weeks, 2–6 weeks, 6–12 weeks, 12+ weeks, Varies widely
      • How often do manual spreadsheets or ad-hoc data pulls still form the basis of your official reporting? Options: Always, Often, Occasionally, Rarely, Never
      • When delays happen, what emotions or political reactions tend to surface in leadership or partner agencies?

      If You Could Snap Your Fingers

      • If you could guarantee one measurable outcome from this engagement by year-end, what would it be?
      • Which of these outcomes would be highest priority for you? Options: Publish OPEN Data Act datasets, Deliver GPRAMA performance metrics, Close FISMA audit findings, Automate congressional reporting, Eliminate manual spreadsheet reporting, Other
      • For your chosen priority, what concrete metric would prove success (e.g., x% reduction in manual effort, y days to report)?
      • What constraints are non-negotiable for delivering that outcome (select all that apply)? Options: Must be FedRAMP-authorized environment, Complete within fiscal year, Operate within existing budget, No increase in headcount, Privacy Act protections enforced, Other
      • How would you and your leadership celebrate or communicate that success internally and to stakeholders?

      What Would Count as Risky to Your Leadership?

      • What single risk would make senior leadership pull the plug on this initiative?
      • Which of these concerns are most likely to stall approval? Options: Security/compliance gaps, Unclear ROI/cost overrun, Schedule slips, Interagency data-sharing objections, Vendor past performance, Other
      • How tolerant is leadership of iterative delivery with early pilots versus waiting for a full end-state? Options: High tolerance — prefer pilots, Moderate — need some milestones, Low — want complete solution before signoff, Undecided
      • What mitigation approach would make leadership comfortable (e.g., limited-scope pilot, escrow data access, formal SLA)?
      • Who must explicitly sign off on risk mitigations before work begins? Options: CDO, CIO, Chief Information Security Officer (CISO), Program Director, Legal/Privacy Office, Other

      How Do You Want to See the Solution?

      • Would you rather see a working pilot within 60 days or a full architecture and data governance plan first? Options: Working pilot in 60 days, Architecture & governance plan first, Both in parallel, Undecided — need guidance
      • What deployment environment is required or preferred for your agency? Options: FedRAMP High GovCloud (AWS), FedRAMP Moderate GovCloud, Agency on-premises, Hybrid (GovCloud + on-prem), Unsure / need recommendation
      • Which acceptance criteria will be non-negotiable for sign-off (select all that apply)? Options: Data lineage documented, Automated data quality scores, RBAC aligned with agency roles, FISMA control evidence automated, Successful pilot ingest of X sources, Other
      • Who will be the primary approver(s) for acceptance testing and why?
      • Are there internal policies or legacy constraints we must honor in the solution design (e.g., prohibited cloud regions, data retention rules)?

      Who Needs to Be On the Bus (and Who Might Say No)?

      • Which stakeholder could single-handedly block progress if they feel excluded or unheard? Options: CISO/CISO office, Legal/Privacy, Program Director, OMB or centralized authority, External partner agency, Other
      • List the core stakeholders who must be engaged for design, security, and acceptance (names/roles).
      • How do these stakeholders currently define success for their teams (select all that apply)? Options: Timely reporting, Audit readiness, Data-driven decisions, Reduced manual effort, Cost containment, Other
      • Who should be the day-to-day agency owner working with our engineering team? Options: Program Manager, Data Steward, IT System Owner, Other
      • What political or interagency sensitivities should we be aware of when approaching partners?

      The Reality of Access and Clearance

      • Is there any required clearance, enclave, or special environment that will block engineers from accessing key data? Options: Yes — requires special clearance, Yes — requires enclave access but no clearance, No — data accessible with standard PIV, Unknown
      • Which environments are currently provisioned and ready for development, testing, and production? Options: Dev available, Test/Staging available, Prod available, None available, Some partially provisioned
      • What FISMA control status describes your systems today? Options: Up-to-date POA&M cleared, POA&M present with scheduled remediation, Significant open findings, Not assessed / unknown
      • How long does it typically take to provision the necessary accounts, roles, and interfaces for a new vendor integration? Options: <2 weeks, 2–6 weeks, 6–12 weeks, 12+ weeks, Varies widely
      • Describe any recent experiences provisioning external partners—what worked and what bogged you down?

      Next Small Win — How Do We Start?

      • What one small, irreversible step would make continuing this program inevitable?
      • Which of these would you be willing to commit to as an initial step? Options: Approve a 60-day pilot SOW, Grant read-only access to one source, Designate an agency product owner, Allocate a small budget hold, Other
      • What sprint cadence feels realistic for your team (and will leadership accept)? Options: Weekly demos, Biweekly sprints, Monthly milestones, Quarterly checkpoints
      • Who is the escalation contact if a technical or security blocker jeopardizes the schedule? Options: CDO, CIO, CISO, Program Director, Other
      • What is your expected decision timeline for moving from discovery to a funded engagement? Options: Immediate / within 2 weeks, Within a month, 1–2 months, Longer than 2 months, Unsure
      • Is there anything else—political, technical, or cultural—that would help us design the right pilot or first step?
  7. Success

    Confirm outcomes, transition to operations, and maintain a shared backlog for issues and enhancements.

    Success Reviews

    • Outcomes Validation & Acceptance
    • Operations Transition & Runbook Handover
    • Backlog Prioritization & Continuous Improvement Planning
    • Compliance & Audit Closure Review
    • Executive Close-out & Lessons Learned

    Issues & Enhancements

    • Deliver a compliance package (links and checklist) to the agency compliance lead and archive per agency policy.
    • Deliver finalized runbook package and post to the agreed ops documentation repository.
    • Provision production access for named agency operators and verify logins.
    • Create incident simulation exercise (tabletop) to validate runbooks within 30 days.
    • Backlog Inventory Review
    • Establish a prioritized backlog and a documented triage/governance process for ongoing work.
    • Assign a product owner and delivery cadence to drive backlog resolution within fiscal constraints.
    • Define clear criteria for when items require contract/funding changes versus routine sprint work.
    • Publish the prioritized backlog in the shared tool with scoring and owners assigned.
    • Document and circulate the triage/governance process and approval authority matrix.
    • Schedule recurring backlog grooming sessions (e.g., biweekly) and the next sprint planning meeting.
    • Compliance Artifacts Inventory
    • Validate completeness of compliance artifacts required for FISMA/FedRAMP and Privacy Act obligations.
    • Ensure a documented POA&M exists for outstanding items with owners and realistic timelines.
    • Agree on an auditor engagement and evidence access process to reduce future audit friction.
    • Introductions & Meeting Objectives
    • Create/update POA&M entries for outstanding findings and assign remediation owners.
    • Schedule the first quarterly compliance health check and add it to the shared calendar.
    • One-Sentence Future State & Impact Summary
    • Secure executive acknowledgment of delivered outcomes and high-level sign-off for transition to operations.
    • Capture actionable lessons learned and assign ownership to implement process improvements.
    • Align on executive communications and any decisions impacting future funding or scope.
    • Produce and distribute an executive close-out brief summarizing outcomes, metrics, and next steps.
    • Document lessons learned with owners and timelines for implementing the top 3 improvements.
    • Confirm sponsorship/POC for the next-phase roadmap items and add to the backlog governance tracker.
    • Confirm whether each success criterion is met and obtain formal acceptance or a documented remediation plan.
    • Ensure both customer and seller share identical evidence and interpretation for each acceptance item.
    • Establish owners and timelines for any outstanding remediation with clear validation gates.
    • Produce an acceptance record summarizing pass/fail for each criterion and circulate for signatures.
    • Create remediation tickets for any open items with owners, acceptance tests, and deadlines.
    • Schedule re-validation meeting within agreed remediation window if required.
    • Operational Model Overview
    • Ensure operations team has documented runbooks, access, and permissions necessary to operate the environment.
    • Agree on monitoring and incident response procedures and confirm on-call / escalation roles.
    • Schedule and commit to training and shadowing sessions to complete handover.
    • One-Sentence Current State
    • Prioritization Framework & Criteria
    • Access & RBAC Handoff
    • Outcomes Snapshot & Metrics
    • Audit Findings Status & POA&M
    • Privacy Act & Data Sharing Controls
    • Triage & Governance Process
    • Runbook Walkthrough
    • Risk Residuals & Governance
    • Review of Success Criteria & Acceptance Checklist
    • Lessons Learned & Process Improvements
    • Evidence Walkthrough
    • Sprint Cadence & Delivery Model
    • Evidence Access & Auditor Engagement Plan
    • Monitoring, Alerts & Incident Response
    • Open Items & Risk Register
    • Backup, Restore & Business Continuity
    • Assignment & Metrics
    • Executive Decisions & Communications
    • Scheduled Compliance Health Checks
    • Acceptance Decision & Sign-off Logistics
    • Training & Knowledge Transfer Plan
    • Closure Actions & Reporting
    • Next Steps & Timeline for Remediation (if any)
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.